Information superiority, the ability to collect and process an uninterrupted flow of information while denying the enemy the ability to do the same, is not a new concept for the Department of Defense (DoD). The increased use of and dependence on computer technology to access and protect this information, however, is making the task of maintaining information security far more complex than before.

The DoD, like other public and private sector communities, is a computer-dependent organization. The Defense Information Infrastructure (DII) and the DoD computer networks that control and operate within it are becoming increasingly vulnerable to electronic attacks. This DoD information superhighway is becoming a "cyber battlefield" where the protection afforded by previous traditional geographical boundaries is diminished, and a threat to one DoD computer system is potentially a threat to all DoD computer systems.

Recognizing this threat, the DoD created the Joint Task Force-Computer Network Defense (JTF-CND), the first DoD organization of its kind to be the department's focal point for the defense of its computer systems and networks.

Following an extensive review of the proposed JTF-CND's location, mission, and organization, it was decided to locate the JTF-CND in Washington, D.C., with the Defense Information Systems Agency (DISA) as its supporting agency. This would allow the JTF-CND to be collocated with DISA's Global Operations and Security Center (GOSC) and to leverage DISA's existing global presence with the unified commands, its established liaisons with the law enforcement community, and its network operational view, intrusion analysis, and core technical capabilities. The JTF-CND is under the command of Air Force Maj. Gen. John H. Campbell.

Defense Secretary William Cohen assigned the JTF-CND the following mission: "Subject to the authority, direction, and control of the SECDEF, JTF-CND will, in conjunction with the unified commands, Services, and agencies be responsible for coordinating and directing the defense of DoD computer systems and computer networks. This mission includes the coordination of DoD defensive actions with non-DoD government agencies and appropriate private organizations."

With the JTF-CND's location, command, and mission in place, the Director, Joint Staff (DJS) directed a working group be formed composed of representatives from the military services, Joint Staff, Defense agencies, and unified commands. These experts were asked to further refine the mission, help determine mission organizational functions, command relationships, budget, and manpower authorizations, and lastly, develop the concept of operations (CONOP) for the JTF-CND.

In August the working group began meeting daily to build the JTF-CND. The group agreed to several key assumptions:

• DISA would support the JTF-CND and provide administrative, resource management, logistical, and public affairs support.

• The JTF-CND would not be a deployable asset.

• The JTF-CND would depend on intelligence community support.

• Initial operational capability (IOC) was established on 30 December 1998, requiring at least 10 personnel, and would need to fulfill 7 of the 11 mission organizational functions.

• Full operational capability (FOC) would need to be achieved no later than 6 months after IOC.

The working group's first task was to further develop the 11 mission organizational functions. Those functions included key responsibilities such as determining whether the DII was under a strategic attack, determining the impact an attack could have on military operations, coordinating and directing actions to stop, contain, and restore DoD's critical networks, and assessing the effectiveness of computer network attack restoration actions.
Given the JTF-CND's assumptions, mission organizational functions, and large area of responsibility (AOR), the working group then determined the organization's personnel structure (see Figure 1). The group decided that the JTF-CND would have 24 people, which included traditional staff components. The small number of personnel assigned to the JTF-CND dictated that some of the traditional staff elements be combined (i.e., J1/J4/J8, J3/J6, and J5/J7) and that DISA employees provide administrative, resource management, logistical, and public affairs support. It was determined that the JTF-CND would also have its own Staff Judge Advocate to remain current with the laws affecting information operations, intelligence oversight, and counter-intelligence, including domestic and international laws affecting information defense operations.

The working group's greatest challenge was defining how the JTF-CND would actually conduct its mission to coordinate and direct the computer network defense of the DII. There were several issues to consider. First, the JTF-CND had a unique DoD mission that did not correlate well to the traditional JTF structure. For example, the JTF-CND reported to the Secretary of Defense, not a commander-in-chief (CINC), and was analogous to a supporting command. Second, the AOR crossed traditional unified command and military service and agency geographical boundaries. The JTF-CND, although responsible for CND throughout the DII, would not direct a CINC how to defend that CINC's networks within his or her AOR. Third, the identification of forces (Service components) was unknown. That particular challenge extended to the Services as each grappled with selecting a force that could blend a network operation with intrusion analysis and network defense. All were available but not within the same command structure.

Figure 1. JTF-CND Organization

With these challenges identified, how will the JTF-CND execute its mission? First, the JTF-CND will leverage existing capabilities through a host of agencies and organizations, particularly the DISA GOSC and its standing relationships within the CND community. The GOSC's intrusion detection and analysis through its Automated System Security Incident Support Team (ASSIST) will serve as the immediate technical arm of the JTF-CND. The JTF-CND and the GOSC, sharing the same facility, will ensure a close working relationship and provide for the further leveraging of all technical capabilities throughout DISA. The J3 (Director of Operations) will coordinate with the National Military Command Center (NMCC) and the operation centers in the unified commands to ensure CND efforts are coordinated with ongoing military operations. Similarly, the J5/J7 (Director for Plans and Exercises) will reach out to the commander-in-chief information operations cells and the National Coordinating Center for Telecommunications of the National Communications System to ensure synchronized planning and course of action development are conducted with a detailed view of existing operations and plans. The J2 (Director for Intelligence) will pull existing intelligence products throughout the intelligence community, including those available from the National Security Agency, the Defense Intelligence Agency, the military services, and the National Infrastructure Protection Center (NIPC).

Operating on a 24-hours, 7-days-a-week basis, the JTF-CND will fuse the operational, intelligence, and technical view of computer networks riding the DII. In turn, the JTF-CND will develop and promulgate cohesive, synchronized, and coordinated CND solutions to mitigate and defeat computer network attacks on the DII. The speed of attacks, the boundless nature of cyberspace, and the challenges of identifying the enemy demand the JTF-CND work in near real-time to accomplish its mission.

Although many questions still must be answered and new procedures established, the DoD is committed to defending its computer networks and gaining and maintaining information superiority. And today, the JTF-CND can help lead this crucial fight.

LTC [name illegible in the scan] received his B.S. in General Engineering from West Point and a M.S. in Education from the University of South Carolina. He is currently the Defense Information Systems Agency (DISA) liaison to the Joint Task Force for Computer Network Defense.
Information Assurance Certification Program

At U. S. Atlantic Command (USACOM) Headquarters, the Information Assurance (IA) Branch, established in November 1997, is responsible for ensuring the availability, integrity, confidentiality, nonrepudiation, and authentication of collateral automated information systems (AIS) and the information within those systems in support of command, control, communications, and computers. As the number of Department of Defense (DoD) systems interconnected through local and wide area networks increases, so do the opportunities for concerted attacks against USACOM AIS assets.

To protect command systems and the data they contain from being exploited, the IA Branch has developed training programs, invested in intrusion detection tools, developed security policies, and created an IA Certification Program. For a truly effective security program all these aspects of protecting computer systems must be consistently used throughout USACOM. Additionally, the cooperation of all command personnel is required to protect the integrity of shared data. To highlight one of the ways the IA Branch is maintaining USACOM's AIS security posture, this article focuses on the IA Certification Program.

HOW THE IA CERTIFICATION PROGRAM WORKS

The IA Certification Program is mandatory for all assigned users and system administrators (SA) and is divided into the following three courses—

• New Users—addresses the local area network operating environment, e-mail transmissions, and various application software programs, along with physical and system security.

• Security Refresher—includes current security information along with information gathered from various computer security updates.

• System Administrators—follows an intense training track involving computer-based training (CBT) modules and a skill-level checklist.

The following paragraphs overview each course.

NEW USERS COURSE

New users are required to view the DoD Information Security (INFOSEC) Awareness CBT compact disc (CD). The INFOSEC CBT CD is distributed by the Defense Information Systems Agency (DISA) and contains information on public law, information security, malicious logic, external threat methodologies and techniques, along with the individual's role and responsibility in protecting information available through computer systems.

For the New Users course, USACOM has incorporated the information contained in the INFOSEC CBT CD with an instructor-led class, certification testing, and the requirement for all new users to sign a letter acknowledging their roles and responsibilities for protecting the security of the systems to which they have been granted access. Before new users are issued a certification certificate, they must complete each part of the New Users course.

SECURITY REFRESHER COURSE

Users who commit serious security violations (e.g., sharing passwords, misclassifying documents) are required to retake the certification test required of all new users and described in the course above, and to attend the Security Refresher Course. Their network accounts are locked until they successfully complete the process for re-certification.

SYSTEMS ADMINISTRATORS COURSE

Various military exercises have revealed the need to ensure consistent, verifiable skill sets for individuals who function as systems administrators in the system security arena. USACOM developed procedures for SA certification based on DoD Interim Guidance. For the Systems Administrators course, SAs are required to complete Operational Information System Security CBT Volumes I and II, in addition to the DoD INFOSEC CBT. The additional CBTs address several topics, including legal and regulatory issues, security incidents, trusted systems, workstation security, network security, risk management, auditing, and encryption.

Additionally, SAs, along with their supervisors, are required to complete a Job Qualification Requirements (JQR) checklist, which identifies the SA's skill level in performing necessary tasks on the USACOM systems. The checklist, in conjunction with the DoD CBTs and SA-signed letter of acknowledgement, is a key factor of USACOM's SA certification process.

USACOM's Certification Program is only the first step of many to bring security to the forefront in our information-dependent environment. We must understand that it takes a coordinated effort by all to protect our information networks.

Captain Johnson received his B.S. in Computer Science from North Carolina A&T State University. He is currently the Communications Computer Systems Information Officer at USACOM in the Information Assurance Branch. His focus is training certification and policy/procedures for the Computer Intrusion Response Team. He may be reached at johnsonr@acom.mil.
Information Systems Security: The New Arms Race for the Information Age

When Almon B. Strowger was an undertaker in Kansas City in 1889, he discovered a local telephone operator was compromising his funeral business. Apparently, each time prospective customers called the local telephone operator to inquire about available undertakers, the operator, who happened to be the girlfriend of Strowger's local competition in the undertaking business across town, would direct them to her friend. In response, Strowger decided to create an automatic switchboard that would eliminate all operator intervention; that is, he set out to remove human access to the control of the switch mechanism. Not only did the first "Strowger Switch" go into commercial operation in the United Kingdom in 1892, but also many remain in operation today.[1]

The key point behind Strowger's invention, to deny human access to the control of the information system, remains a critical aspect in protecting modern data networks from being compromised by hackers. Unfortunately, protecting today's data network architecture, in which control pathways are mixed with communications pathways and global systems are increasingly interconnected via the Internet, is a far more complicated task than isolating one circuit switch as Strowger did.

Modern data networks are based on information packets that are exchanged between the elements that compose the network. These various "commands" originate from both client terminals and server terminals, including packet data switches, and instruct the network when to set up a connection, tear down a connection, ... action, etc. The vulnerability this "open architecture" creates is that a hacker need only compromise one of these commands to gain access to an information source connected to a network. When this exploitation has occurred, the entire network becomes vulnerable to further attacks.

Now consider that about 3 million computers and 20 million users compose the Internet. Daily, an increasing number of business and financial processes and services are automated. These new networks are continually placed on the World Wide Web. The current metric is that this global network of networks is doubling every 8 months. The high degree of interoperability of this burgeoning network is achieved via an established and mandated set of protocols specified by the Internet Architecture Board. The enforcement mechanism applied is simple: if you bring your network to the Internet it either complies with these protocols or it doesn't connect.

This ever-increasing reliance on data networks by the corporate world and small businesses and governmental agencies is creating an environment where organizations' data networks are becoming increasingly interconnected. This exponential growth in interconnects, in turn, creates more available pathways for hackers to exploit. Thus, the dilemma facing the corporate world, small business, and government is how to balance the openness of today's networks with security.

These opposing concepts have created an environment in which hackers are continually developing new ways to exploit data networks, while network administrators are scrambling to develop additional ways to protect these same networks. The result is a new "arms race" for weapons that will either penetrate or protect networks. The irony of conducting such a race in today's new information age is that in many cases the Web itself, with more than 30,000 sites devoted to how to exploit data networks, offers would-be hackers a wealth of easy-to-access information on attacking computer systems.

HOW HACKERS OPERATE

Hackers begin their attack by first conducting a reconnaissance of their target networks using common hacking tools such as

• WHOIS - gathers information from the InterNIC

• DNSLOOKUP - identifies associated network systems

• FINGER - identifies users and accounts

• NetScan - provides a suite of information gathering tools

• WhatsUp - provides a network mapping and monitoring utility

• Strobe - provides an automated port scanning tool.

Each of these tools is easily obtained at no cost via the various hacker Web sites. The only exception is NetScan, which costs about $30. Yet hackers can always use another tool to bypass the need for proper registration and avoid paying this fee.

After conducting their reconnaissance, hackers then exploit the network they've chosen to attack by compromising common protocols that are built into the target network itself, i.e., File Transfer Protocol (FTP), Remote Shell (RSH), and Trivial File Transfer Protocol (TFTP), in an attempt to capture the password file. The located password file is then "cracked" using a software tool such as John the Ripper, the latest password-cracking software on the market. At this point, the hacker achieves root access and super user privileges and creates a "backdoor" account into the network so the hacker can reenter the network at any time without detection. Finally, the hacker "covers his tracks" by eliminating all traces that he has manipulated the system, except for the presence of the innocuous backdoor.[2]

[Sidebar: industry statistics]

• Comparatively, only 1,200 sites are devoted to banking with more than 600,000 sites devoted to conspiracy theories (AXENT SWAT Team).

• Forty-three percent of organizations that experienced a security breach said it cost them more than $5 million (Information Security News).

• Only 55 percent of U.S. companies surveyed actively monitor network and system activity for security threats. Nearly 60 percent of those surveyed cited lack of money as an obstacle for addressing security concerns (Information Week/Ernst & Young).

• Companies will spend more than $6.3 billion this year to bring in computer security expertise and software. Within 3 years, companies are expected to spend nearly $13 billion (Dataquest).

WHAT NETWORK ADMINISTRATORS CAN DO TO PROTECT THEIR NETWORKS

Without question the best defense against hackers exploiting known vulnerabilities in a network is for network administrators to exercise good password management. But what readily available defensive tools do network administrators have at their disposal to ensure this? Consider the following security techniques:

• To limit access, servers can contain lists of authorized users and their passwords so that to connect to the server, a client must enter an authorized User ID and password.

• To ensure User IDs and passwords are not "sniffed" by hackers during the login process, Secure Socket Layer v3 (SSL) can be employed. Most network and Web servers support connections over SSL, which encrypts the session from the user's Web client to the Web server. This encryption occurs before any user login or data transfer process begins. It protects the login process and the data transferred to and from the Web server. Unfortunately, the encryption algorithms used are not robust enough for classified material and can be broken by off-line processing in as little as 3 days using machines that cost as little as 250K.

• To limit access to all registered hosts and workstations in a specific Internet domain (i.e., ARMY.MIL), most Web server software has a configuration option that implements Reverse DNS Lookup. When any Internet client connects to an Internet server, the TCP/IP connection process provides the server the IP address and hostname of the Internet client. Reverse DNS Lookup takes the provided IP address and queries the domain name server to get the hostname. If the DNS lookup process is successful, it indicates that the client is a domain member (a member of ARMY.MIL) and the IP address and hostname match (a crude form of identification and authentication of the Internet client). Only if the Reverse DNS Lookup is successful is the client allowed to access the Web server application on the Internet server.

• To further restrict access, a list of authorized IP networks or individual IP host addresses can be created. This list of allowed and denied addresses can be entered at the Web server. For UNIX machines, a TCP Wrapper or a hosts.deny list can be used. For NT Servers running Microsoft Web Server, this technique is managed through the Web software.

• To authenticate users to Web servers, user-level X.509 certificates can be used in place of User ID/passwords. These certificates provide a more scalable solution than creating individual accounts on each Web server.

• To limit who (User ID) can access a file, many operating systems allow files to have assigned Access Control Lists (ACL). If a user login is used, ACLs can further restrict access to areas on the Web server to authorized users.

• To further limit who sees what on a Microsoft Web server, Microsoft offers Active Server Pages (ASP), which allows each Microsoft Web page to be dynamically created depending on who is signed on. Because this tool is for Microsoft products only, it should be used with caution and not considered a "standard" means to protect Web access.

• For Windows NT servers, user access can further be restricted to specific hours and days of the week. If this tool is enabled, specific User IDs can access the Web server only during specific time periods.
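The Reverse DNS Lookup check and the allowed/denied address list described above, as an added example that is not code from the article or from any server product it names. It also adds the forward-confirmation step (look up the A record of the name the PTR record returned and require it to contain the connecting address), because whoever controls the in-addr.arpa zone for an address can publish any hostname in its PTR record, so a reverse lookup alone does not prove domain membership. The DNS records, hostnames (under the reserved example.net) and addresses are constructed placeholders; DNS resolution is injected so the code runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) plus address allow/deny lists.

Added example, not from the article. Lookups are injected as callables so
the demo runs offline on constructed records; a real deployment would back
them with the resolver (e.g. socket.gethostbyaddr / socket.gethostbyname).
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Constructed PTR (reverse) and A (forward) data: placeholders, not real hosts.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "ws10.hq.example.net",    # PTR and A agree: genuine member
    "192.0.2.11": "ws11.hq.example.net",    # PTR claims the domain, A disagrees
    "192.0.2.12": "ws12.hq.example.net",    # genuine, but on a denied address
    "198.51.100.7": "host7.example.com",    # outside the domain
}
A_RECORDS: Dict[str, List[str]] = {
    "ws10.hq.example.net": ["192.0.2.10"],
    "ws11.hq.example.net": ["203.0.113.5"],  # mismatch: PTR cannot be confirmed
    "ws12.hq.example.net": ["192.0.2.12"],
    "host7.example.com": ["198.51.100.7"],
}

ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query on the connecting address."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    """Stand-in for an A query on the name the PTR record returned."""
    return A_RECORDS.get(name.rstrip(".").lower(), [])


def in_domain(hostname: str, domain: str) -> bool:
    """True if hostname is the domain itself or a name beneath it.

    The leading dot in the suffix test stops 'evilexample.net' from
    passing as a member of 'example.net'.
    """
    h = hostname.rstrip(".").lower()
    d = domain.strip(".").lower()
    return h == d or h.endswith("." + d)


def check_client(ip: str, domain: str,
                 allow_nets: Sequence[str] = (),
                 deny_nets: Sequence[str] = (),
                 rev: ReverseLookup = reverse_lookup,
                 fwd: ForwardLookup = forward_lookup) -> Tuple[bool, str]:
    """Decide whether a connecting client may reach the Web application.

    Policy (this example's own, not a particular server's or tcpd's):
      1. an address inside any deny network is refused outright;
      2. if allow networks are given, the address must be inside one;
      3. the PTR name must lie in `domain`;
      4. the PTR name's A records must contain the connecting address
         (forward confirmation), since the owner of the in-addr.arpa zone
         for the address can publish any name it likes in the PTR record.
    Returns (allowed, reason) so the reason can be logged on refusal.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "invalid address"
    if any(addr in ipaddress.ip_network(n) for n in deny_nets):
        return False, "address in deny list"
    if allow_nets and not any(addr in ipaddress.ip_network(n) for n in allow_nets):
        return False, "address not in allow list"
    name = rev(str(addr))
    if not name:
        return False, "no PTR record"
    if not in_domain(name, domain):
        return False, f"{name} is not in {domain}"
    if str(addr) not in fwd(name):
        return False, f"PTR name {name} not forward-confirmed"
    return True, f"{name} confirmed as {domain} member"


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.9"):
        print(client, check_client(client, "example.net", deny_nets=["192.0.2.12/32"]))
```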

In addition to these techniques, network administrators can build far more elaborate network security architectures. For example, Intrusion Detection Software (IDS) systems will constantly screen all Internet Protocol (IP) traffic for unauthorized entries. To achieve this, IDS scans data traffic for profiles within data packets that indicate hacker activity. These packages are normally installed on a workstation connected to a device known as a security router, which routes all IP traffic to the IDS. The IDS system is installed where the private network connects to the public Internet. Firewalls, which are designed to deny entry by unauthorized users, can also be installed at network entry points or in front of a server with company sensitive information. Other evolving capabilities include public key infrastructure (PKI), which uses public and private encryption keys for all data transactions over the Internet or within an Intranet, and virtual private networks (VPN), which literally create a private network within a public network.

[Sidebar: industry statistics]

• About 25 percent of all attacks are denial of service. One of the most popular hacker attacks remains "denial of service" initiatives that disrupt phone, banking, e-commerce, and other key infrastructure services but do not actually steal any electronic data.

• One of the easiest ways to gain access to information is to get a job. 44 percent of computer security breaches are from unauthorized employee access to information.

• The threat from outside the company has skyrocketed. 54 percent of companies report that their Internet connection is a frequent point of hacker attacks.

• Sixty-four percent of companies reported computer security breaches between March 1997 and February 1998. Seventy-two percent of these breaches caused financial losses/damages.

— Computer Security Institute

• The number of Internet users rose more than 150 percent last year, with more than 130 million users already online (IDC Research). In addition, the number of remote access users will grow from more than 15 million in 1997 to more than 54 million users by the year 2002 (Gartner Group).

• More than 250,000 laptop computers were reported stolen in 1996, representing a 27 percent increase from 1995 and a loss of more than $800 million in hardware and software assets (Safeware Insurance).

• Arrests for computer crimes skyrocketed 950 percent from four in fiscal 1996 to 42 in fiscal 1997. Convictions increased 88 percent from 16 to 30 (FBI reports).

Overall, defensive measures can be divided into three parts: prevention, detection, and response or reaction. Prevention consists of procedural fixes such as passwords, user certification, firewalls, as well as both physical and personal security measures. For example, awareness training among a company's workforce can be highly effective in building defenses against breaches of security. Detection of intrusion can be achieved either by constantly reviewing systems logs for unauthorized activity or by installing IDS systems that can be connected to alarm and alert notification systems. Finally, response consists of timely activities such as

• Changing all password files

• Requiring all users to re-authenticate

• Rerouting data traffic

• Tightening IP filters and firewalls

• Enforcing certificate revocation

• Taking the system down and rebooting it

• Disconnecting a network completely from all external networks

This last response, the most extreme measure of all, works for external attacks but not internal attacks. Tracking an insider is both easy and challenging; easy because the attacker is contained and can be traced, and challenging because this attacker usually possesses inside information, i.e., he or she knows the network and all its faults and traps.

THE CATCH-22 IN DEFENDING NETWORKS FROM HACKER ATTACKS

Ultimately, the same sophisticated technologies available to network administrators are also available to hackers. Consequently, as defensive measures are enhanced so are the tools of the hacker trade. The recently released "Back Orifice" by the Cult of the Dead Cow, for example, represents a significant threat to existing defensive capabilities. This tool was revealed at a hacker convention called DEFCON 6.0 from August 1 to 2, 1998. The convention is an annual gathering of about 2,500 active anarchists and hackers from around the United States and is organized by personnel of several information technology vendors, most headquartered in the Washington, DC, area. The significance of Back Orifice is that the product works effectively against all Microsoft operating systems with a version expected soon to work against Unix operating systems. It is designed to be used by people of little technical capability and can be sent to a system as a software upgrade to any Microsoft operating system. It is only 123 kilobytes in size and can be totally configured to include name and port of operation and be encrypted and appended to any application on the system. When it is attached, the infected system acts as a client to the program and full operation of the system belongs to the sending server. The only systems that cannot be affected are those that never connect to the Internet.[3]
Training & Awareness Products

Operational Information Systems Security (OISS), Vol. 1

This interactive CD-ROM provides the user with an introduction to OISS, including its definition, evolution, and legal and regulatory issues associated with OISS. Topics covered include threats to Information Systems Security, examples of security violations, incident indicators and reporting procedures, Trusted Systems, and the certification and accreditation of systems. The roles and responsibilities of the ISSO, ISSM, SISSM, and SDSO are discussed. In addition, users may perform exercises at the end of each module to test their comprehension. A glossary of terms and points of contact within the INFOSEC community are provided for reference. This product is based upon the NSA course ND225, Operational Information Systems Security.
1998 EMMA Award nominee

Operational Information Systems Security (OISS), Vol. 2

This interactive CD-ROM continues with OISS, including workstation, network, and storage media security, as well as encryption, malicious activity, risk management, and auditing. Topics covered include workstation and operating systems basics, network basics (including vulnerabilities, examples of violations, and security services/devices), and types/handling of storage media security. Encryption, malicious code (including the spread and detection/prevention of malicious code, with an emphasis on viruses), fundamentals of risk management, and auditing goals are also discussed. In addition, users may perform exercises at the end of each module to test their comprehension. The CD-ROM can be linked to your website for testing purposes. A glossary of terms and points of contact within the INFOSEC community are provided for reference. This product is based upon the NSA course ND225, Operational Information Systems Security.

DOD INFOWAR Basics

This interactive CD-ROM defines Defensive Information Warfare (IW-D) and details its evolution. Basic principles of INFOWAR are discussed as well as user roles and responsibilities. Points of contact within the Information Assurance community are provided.

DOD INFOSEC Awareness

This interactive CD-ROM explains the need for information systems security and cites recent examples of security violations. The user will learn the definition of INFOSEC, public laws relevant to INFOSEC, and government policies pertaining to INFOSEC. Other topics covered include external threats to information security, the evolution of INFOSEC, user roles and responsibilities, and malicious logic. A glossary of terms and a directory of where to find help within the INFOSEC community are provided for reference.

Federal INFOSEC Awareness

This interactive CD-ROM explains the need for information systems security and cites recent examples of security violations. This product is intended for a Federal, non-DOD audience. The user will learn the definition of INFOSEC, public laws relevant to INFOSEC, and government policies pertaining to INFOSEC. Other topics covered include external threats to information security, the evolution of INFOSEC, user roles and responsibilities, and malicious logic. A glossary of terms and points of contact within the Federal INFOSEC community are provided for reference.
1998 New Media Invision Award nominee

Introduction to the Defense Information Technology Security Certification & Accreditation Process (DITSCAP)

This interactive CD-ROM provides the user with an overview of the DITSCAP, including its definition, the evolution of information systems security, and roles and responsibilities. Modules 2 through 5 cover Definition, Verification, Validation, and Post-Accreditation. All modules include an overview of topics covered, a description of process activities, and individual, team, and group roles and responsibilities.


Information Age Technology

This interactive CD-ROM includes an overview of basic information technology infrastructures, such as the Defense Information Infrastructure (DII), National Information Infrastructure (NII), Global Information Infrastructure (GII), and Intelligence Information Infrastructure (III). Topics covered include considerations in information transportation, such as speed, throughput, security, cost, and distance. Various types of media for sending messages across the information infrastructure are also discussed. One module highlights the hardware and resources used to support the information infrastructures, with an emphasis on communication devices used to access, process, and transmit in-
Do you feel secure in your decisions? There are many descriptive and prescriptive theories for risk-based decision making. The kernel of these theories is a drive towards "security" as measured by reasonable assurances in conjunction with acceptable risks. Such security is a relative feeling or perception of "comfort" that differs among people and situations, thus giving rise to fundamentally different decision-making styles. Specifically, some decision makers take greater risks, while other decision makers seek greater assurances. Good decision makers tend to be skilled at both assessing risks and managing assurances. Based on this understanding of decision-making styles, the term "security" can be readily defined as follows:

Security is a level of confidence based on both the assurance that a system can perform as required and the risk-related certainty that a system will perform as required given an inherent dynamic threat environment in which the system exists.

In short, security is the intersection of "can" and "will" as depicted by the Venn-diagram in Figure 1.

SECURITY = Assurance × Certainty

Accurate information is essential for making good decisions... Decisions are in essence conclusions drawn from information derived from the decision making processes. Data feeding into the decision processes derive from the business operations, specifically from the information in operations as well as the intelligence and counterintelligence processes. Inherent in business operations information, for example, are the notions of quality and configuration control information along with both internal and external competitive forces and trends. Consequently, decisions resulting from such information tend to be directive in nature, feeding back into the business operations through the established business processes of the particular business or organization.

Figure: Decision Making

The evolution of technology and the drive of competitive forces in the 20th century, however, have drastically transformed business processes, operations, and organizational structures across industrialized societies. These factors have propelled business systems along an evolutionary path of automation, federation and now integration. Integration goes beyond the automated processes, systems, and businesses across common infrastructures. Integration dictates that these components share common information across the common infrastructures to create effective value chains in product development. In this environment, information dominance and infrastructure superiority are essential foundations for conducting integrated business operations.

Well-integrated information operations (IO) provide the functional information link within business operations between the input and output of the decision process. Figure 2 depicts this information perspective of the decision process. Information assurance (IA), information warfare (IW), and information-in-operations (IIO) form the three functional groups under the IO umbrella within business operations. Further division of these functional groups depends on the specifics of a particular organization's business operations as defined through the business value chain supporting the product development cycle. Applying this to DoD would entail a detailed analysis of the coupled life-cycle acquisition, support and crisis response processes across CINCs, Services and Agencies as applied to products such as humanitarian aid, peace-keeping or peace-making and is thus outside the scope of this article.

The net effect of this development on today's decision-making process is an increased reliance on closely coupled long and short term decisions in maintaining an active business stability in an information-rich, highly changeable environment. This is in direct contrast to traditional business stability achieved by the inertia of hierarchical organizational structures and redundant processes, etc. Active stability equates to rapid and deliberate decision making based on the near-real-time coupling of information to and from the business operations. The fundamental decision process has thus not changed, but our active reliance on the process has dramatically increased within the information age and thus fueled the interest in risk-based decision making methods.


STEADY STATE DECISION MODEL...

For every situation some minimum acceptable security based on some measure of assurance and measure of certainty (risk) exists. Figure 3 relates this concept to a heuristic minimum of acceptable security. As the figure of merit indicates, the ideal decision case is one of perfect assurance and perfect certainty; the realistic decision cases, however, tend to be within the acceptable certainty (risk) and reasonable assurance ranges. The figure of merit applies the Venn-diagram definition of security, Figure 1, as the product of assurance and certainty. Assuming these are normalized quantities, i.e., defined on the interval 1 > x > 0, then certainty can be interpreted as the relative absence of risk or simply 1 - Risk. Consequently, we obtain a rather elegant algebraic expression for security:

That is, security is defined by the assurance less that portion of assurance sacrificed through risk. Zero risk, which corresponds to a threat-free environment, implies that our security is defined simply by assurance, i.e., our confidence that the system can perform. Conversely, total risk of unity, i.e., Risk = 1, would completely sacrifice the assurance and yield zero security as one would expect.
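The algebraic expression the paragraph refers to did not survive the scan. As an added worked derivation (the editor's, not the article's own figure), it follows directly from the two relations the article does state, Security = Assurance × Certainty from the Figure 1 Venn-diagram and Certainty = 1 − Risk for normalized quantities, and reproduces the two boundary cases the paragraph checks:

```latex
\begin{aligned}
\text{Security} &= \text{Assurance} \times \text{Certainty} \\
\text{Certainty} &= 1 - \text{Risk}, \qquad 0 \le \text{Assurance},\ \text{Risk} \le 1 \\
\text{Security} &= \text{Assurance} \times (1 - \text{Risk}) \\
                &= \text{Assurance} - \text{Assurance} \times \text{Risk} \\[4pt]
\text{Risk} = 0 &\;\Rightarrow\; \text{Security} = \text{Assurance} \\
\text{Risk} = 1 &\;\Rightarrow\; \text{Security} = \text{Assurance} - \text{Assurance} = 0
\end{aligned}
```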
Short-term or tactical decisions are generally made in direct response to a perceived threat. The acceptable risk given a threat scenario with respect to the minimum acceptable security in light of defined assurance can thus be characterized as follows.

The degree of risk can be characterized through a simple figure of merit, illustrated in figure 4, based on the product of impact and vulnerability. As the heuristic maximum risk acceptance curve in figure 4 suggests, high impact coupled with low vulnerability or high vulnerability coupled with low impact are both of lesser concern than a moderate impact combined with a moderate vulnerability. Because human nature tends to lead us to focus on extremes either in terms of impact or vulnerability, we usually ignore the more common moderate-moderate situations in between. Not only can these in-between situations be more disconcerting, but their underlying causal relations can result in domino effects within the middle region that further enhance the expected concavity of the risk acceptance curve in the figure of merit.

As the additional Venn-diagram in figure 4 indicates, vulnerability itself can be viewed as a compound quantity obtained from assessing potential system weaknesses weighted by the estimated probability or frequency of exploitation based on an underlying understanding of threat. Vulnerability can thus be interpreted as a weighted measure of likelihood. Impact, however, relates to the potential result of sacrificed assurances. Consequently, defining security at any point in time relies on assessing "have" and "sacrificed" assurances relative to "required" assurances. Two key sets of metrics— required assurances and applicable threats —emerge as central to making tactical decisions based on the time-slice perspective of security.
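The risk figure of merit of the two paragraphs above (risk as the product of impact and vulnerability, vulnerability as a weakness weighted by likelihood of exploitation) combined with the steady-state definition of security, as an added example that is not part of the article: a small Python model that scores constructed scenarios, ranks them by risk, and checks each against a minimum acceptable security level. The scenario values, the 0.70 minimum, and the choice of a plain product as the "weighting" of weakness by likelihood are assumptions made for illustration; the example shows numerically why the moderate-moderate case the article warns about scores worse than either extreme.

```python
"""Added example: steady-state figure of merit applied to constructed scenarios.
Security = Assurance x Certainty, Certainty = 1 - Risk, Risk = Impact x Vulnerability,
Vulnerability = weakness weighted by likelihood of exploitation (assumed: a product).
All quantities are normalised to [0, 1]; every scenario value is invented."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


def _unit(x: float, name: str) -> float:
    """Reject values outside the normalised interval instead of silently clamping."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{name} must lie in [0, 1], got {x}")
    return x


def vulnerability(weakness: float, likelihood: float) -> float:
    """Potential weakness weighted by the estimated probability of exploitation."""
    return _unit(weakness, "weakness") * _unit(likelihood, "likelihood")


def risk(impact: float, vuln: float) -> float:
    """Figure of merit for risk: the product of impact and vulnerability."""
    return _unit(impact, "impact") * _unit(vuln, "vulnerability")


def security(assurance: float, risk_value: float) -> float:
    """Assurance less the portion of assurance sacrificed through risk."""
    return _unit(assurance, "assurance") * (1.0 - _unit(risk_value, "risk"))


@dataclass(frozen=True)
class Scenario:
    name: str
    assurance: float     # confidence that the system can perform as required
    impact: float        # consequence of the assurance being sacrificed
    weakness: float      # assessed potential system weakness
    likelihood: float    # estimated probability/frequency of exploitation

    def risk(self) -> float:
        return risk(self.impact, vulnerability(self.weakness, self.likelihood))

    def security(self) -> float:
        return security(self.assurance, self.risk())


def rank_by_risk(scenarios: Sequence[Scenario]) -> List[Tuple[str, float]]:
    """Highest risk first: the ordering a tactical decision maker acts on."""
    return sorted(((s.name, s.risk()) for s in scenarios), key=lambda pair: pair[1], reverse=True)


def below_minimum(scenarios: Sequence[Scenario], minimum_security: float) -> List[str]:
    """Names of scenarios whose security falls under the minimum acceptable level."""
    return [s.name for s in scenarios if s.security() < minimum_security]


# Constructed scenarios: the two "extremes" and the moderate-moderate case in between.
SCENARIOS = [
    Scenario("high impact, low vulnerability", assurance=0.8, impact=0.9, weakness=0.2, likelihood=0.5),
    Scenario("low impact, high vulnerability", assurance=0.8, impact=0.1, weakness=0.9, likelihood=1.0),
    Scenario("moderate impact, moderate vulnerability", assurance=0.8, impact=0.5, weakness=0.7, likelihood=0.7),
]

if __name__ == "__main__":
    for name, r in rank_by_risk(SCENARIOS):
        print(f"{name:42s} risk={r:.3f}")
    print("below minimum acceptable security (0.70):", below_minimum(SCENARIOS, 0.70))
```

With these inputs both extremes carry a risk of 0.09 and a security of 0.728, while the moderate-moderate scenario carries a risk of 0.245 and a security of 0.604, so it alone falls under a 0.70 minimum: the concave acceptance curve of figure 4 in numbers.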

Required assurances and applicable threats are both related to the mission and vision of the respective organization. Consistently successful decision makers usually have a firm grasp of their vision in terms of goals and the critical success factors that determine how well the goals are being achieved. The point of identifying required assurances is to define the set of criteria representing both the necessary and sufficient assurances relative to the critical success factors. In this way, we focus on correctness rather than completeness. Necessary assurances for business operations include functionality, reliability, survivability, maintainability, affordability etc. Sufficiency of each of these assurances can be ensured by mapping the defined criteria to the assurance services of confidentiality, integrity, availability, accountability, etc. Based on an assurance matrix of the required criteria, assurances can be parameterized and weighted. An assessment at any point in time relative
NAME                                COMPANY                            URL

Quick Heal                          Cat Computer Services              http://www.quickheal.com
Command Antivirus                   Command Software Systems, Inc      http://www.commandcom.com
InoculateIT                         Computer Associates                http://www.cai.com/cheyenne
V-find Security Toolkit             Cybersoft                          http://www.cyber.com
Wave Anti-Virus                     Cybersoft                          http://www.cyber.com
F-Secure Anti-Virus                 Data Fellows                       http://www.datafellows.com
Adinf                               Dialogue Science                   http://www.dials.ru
Dr. Web                             Dialogue Science                   http://www.dials.ru
EMD Armor                           EMD Enterprises                    http://www.emdent.com
ESafe Protect Enterprise            Esafe Technologies                 http://www.esafe.com
ESafe Protect Gateway               Esafe Technologies                 http://www.esafe.com
NOD-iCE                             ESET                               www.eset.sk
AVG Anti-Virus System               Grisoft                            http://www.grisoft.com
IRiS AntiVirus Plus                 IRiS Antivirus                     http://www.irisav.com
Antiviral Toolkit Pro               Kaspersky Labs                     http://www.avp.ru
VirusBuster                         Leprechaun Software                http://www.leprechaun.com.au
Virus ALERT                         Look Software                      http://www.look.com
PC ScanMaster for VINES             Netpro                             http://www.netpro.com
Server ScanMaster for VINES & NT    Netpro                             http://www.netpro.com
Dr. Solomon's Anti-Virus Toolkit    Network Associates, Inc.           http://www.nai.com
McAfee VirusScan                    Network Associates, Inc.           http://www.nai.com
NetShield NT                        Network Associates, Inc.           http://www.nai.com

See What's New on page 22 for summary & ordering information.
NAME                                            COMPANY                              URL

Invircible                                      NetZ Computing                       http://www.invircible.com
ResQProf                                        NetZ Computing                       http://www.invircible.com
Norman Virus Control                            Norman Data Defense Systems          http://www.norman.com
ThunderBYTE                                     Norman Data Defense Systems          http://www.norman.com
DisQuick Diskettes                              OverByte Corporation                 http://www.disquick.com
Panda Antivirus                                 Panda Software                       http://www.pandasoftware.com
Protector Plus                                  For Windows 95/98, Netware, and NT   http://www.pspl.com
DiskNet                                         Reflex Magnetics                     http://www.reflex-magnetics.co.uk
MIMEsweeper                                     Content Technologies, Inc.           http://www.mimesweeper.com
VirusNet LAN                                    Safetynet                            http://www.safetynet.com
VirusNet PC                                     Safetynet                            http://www.safetynet.com
AVAST                                           Securenet                            http://www.securenet.org
System Boot Areas Anti-Virus & Crash Recovery   SBABR                                http://www.sbabr.com
Sophos Sweep                                    Sophos Software                      http://www.sophos.com
Integrity Master                                Stiller Research                     http://www.stiller.com
Antigen 5 for Lotus Notes                       Sybari                               http://www.sybari.com
Antigen 5 for Microsoft Exchange                Sybari                               http://www.sybari.com
Norton Anti-Virus                               Symantec Corporation                 http://www.symantec.com
InDefense                                       Tegam, International                 http://www.indefense.com
OfficeScan                                      Trend Micro                          http://www.antivirus.com
ServerProtect                                   Trend Micro                          http://www.antivirus.com
VET Anti-Virus                                  VET Anti-Virus Software Pty LTD      http://www.vet.com.au/
to this matrix yields the "have" and "sacrificed" assurances with respect to the "required" assurances. In terms of the previously derived definition of security, this yields a relation of the following form.


Required assurances and applicable threats are related closely and must in practice be developed and assessed concurrently. Threat scenarios must be developed based on motives, methods, and opportunities consistent with the required assurances but also from the perspective of the threat agent. For tactical decisions made in response to a threat, it is the probabilistic "likelihood" that is crucial to the decision maker, thus yielding the following tactical decision-making figure of merit.

TIME-INTEGRATED DECISION MODEL
The deliberate decision process guarantees a decision made by a defined decision authority as opposed to a decision reached by committee. The deliberate decision process has always been an important asset of the military, based on the concept that it is riskier not to make a decision (i.e., allow the decision to be made for you) than to risk making a wrong decision. The timely availability of information combined with the ability to interpret the information in terms of required assurances and probable risks are the keys to making consistent tactical decisions using the steady-state decision model. Furthermore, seldom does the outcome of a situation depend on a single decision. Consistency may not guarantee that every decision will be correct, but it will guarantee the likelihood of the expected outcome leveraged across the individual decisions of a common strategy. The time-slice or instantaneous notions of assurance and risk are important for in-

time-integrated perspective becomes essential for strategic decisions.

Decisions are discrete in nature. If we consider the security resulting from a typical decision as a function of time, we note that security (due to inherent uncertainty) starts out comparatively low but increases to a level at which point in time the real benefits from the decision can be harvested. Due to an inherently changing environment (decreasing assurance with increasing risk), security will tend to decrease after some point in time without re-evaluation and correction of required assurances with respect to new and evolving threats. This re-evaluation and correction of required assurances forms an important basis for strategic or long-term decisions. Strategically, it is important to make the long-term decisions before the major decrease in security occurs so as to allow a transition without a significant decrease in security prior to some "sunset" point. In this way, the tactical decisions become intimately coupled with the strategic decisions within the overall framework of the organization's vision and the evolution of an inherent threat environment. Figure 5 shows this strategic perspective by considering such long-term decisions as "investments." In terms of assurances, the "required," "have," and "sacrificed" factors are all time-dependent. Similarly, threats, and subsequently vulnerabilities, can also be expected to evolve over time. Finally, note the initial reinvestment security in figure 5 is slightly higher than the initial investment security so that the algebraic sum of the ongoing investment security with the reinvestment security at every point in time is within the minimum acceptable security level. Too early or too late reinvestment results in insecurity similar to late transitions and sunsets. The overall investment strategy must be in line with acceptable minimum security and consistent with the overarching vision.

TAKE HOME MESSAGE...

It is generally held that people both fear and dislike change. Yet, good decision makers are able to embrace change and harness its potential to their advantage. Effective and consistent decision making depends on a systemic method for interpreting assurance and risk in such a way as to leverage tactical decisions within a strategic framework. Well-planned strategic decisions in conjunction with properly leveraged tactical decisions are the key to smooth sailing through risky waters. In the end, decision making is neither as precise as a science nor as subjective as an art form, but it is a statistically predictable skill that anyone can in principle master.

Gary Lehman is ....
Sandia Researches The Next Generation of Security Engineering Tools

Rick Craft, Sandia National Laboratories

Security engineering, as it is practiced today, is largely a manual process. Although software tools do exist to automate some portion of the security-engineering life cycle, none yet support the full spectrum of activities that can be performed when securing a system. In general, these tools are based on an oversimplified view of the system, assume that known vulnerabilities are the only avenues of attack open to an adversary, and tend to apply safeguards in a prescriptive fashion that fails to account for both the unique aspects of the system at hand and the hidden costs associated with selecting specific safeguards. Although these tools are useful, as far as they go, they are also dangerous if trusted blindly.

Because security engineering is a manual process, it is also time-consuming and expensive. Further, it can be an error-prone process because the quality of the process' results is often directly related to the expertise of the analysts securing the system. At the core of these problems is the reality that security engineering is still more art than science.

For these reasons, in 1996 Sandia National Laboratories began to investigate the development of an open framework that would integrate all the activities associated with the engineering of secure systems. As it was conceived, this framework would support the analysis and safeguarding of multi-technology systems (not just information systems) and would allow a broad range of security engineering tools to be used in a mix and match fashion.

After studying many of the methodologies used both inside and outside the information security community, the research team formulated an approach to security engineering that unified various security engineering methods by means of an explicit system model. In this approach, the system is modeled as a collection of cooperating components. These components can represent tangible items such as computers, people, or buildings, or abstract entities, such as mission-level functions or software processes. In building the model, the analyst documents how the various components in the system being assessed influence one another and how each component reacts under various influences. Component vulnerabilities are treated as extensions to the component's behavior. Threat agents and safeguards are treated as additional system components that send, receive, or block flows in the system. Attacks are defined as the series of component interactions that connect initiating events with undesired outcomes within components or flows between components. Given the system model, analyses consist of selecting a point in the system model to investigate and then "slicing" out of the system model those parts of the model that affect the selected point (either directly or indirectly) or those parts that are affected by the selected point. The research team showed that such analysis can be done automatically with the help of software tools and can be used to support several flow-based analysis techniques (e.g., fault-tree analysis or failure modes and effects analysis).
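The component-and-flow model and the slicing analysis described above, as an added example written here by the editor (not Sandia's tool kit or any of its code): a small Python model in which components are joined by labelled flows, a component's reactions record which inbound influence it passes on to which outbound flow, vulnerabilities are added as extra reactions (extensions of the component's behavior), threat agents and safeguards are ordinary components (the safeguard shown blocks flows), slicing is reachability over unblocked flows in either direction, and an attack is a chain of interactions from the threat agent's initiating event to an undesired outcome at an asset. The sample environment, its vulnerability labels, and the rule that an attack step needs a modelled reaction at every intermediate component are assumptions made for illustration.

```python
"""Added example: explicit component/flow system model with slicing and attack-chain
search. The sample environment and its vulnerability labels are constructed."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

Flow = Tuple[str, str]            # (source component, destination component)
Step = Tuple[str, str, str, str]  # (src, flow label, dst, what enabled the step)


class SystemModel:
    def __init__(self) -> None:
        self.kinds: Dict[str, str] = {}          # component -> kind (asset, threat agent, ...)
        self.flows: Dict[Flow, str] = {}         # (src, dst) -> flow label
        # reactions[comp][inbound label] = {(outbound label, "normal" or vulnerability name)}
        self.reactions: Dict[str, Dict[str, Set[Tuple[str, str]]]] = defaultdict(lambda: defaultdict(set))
        self.blocked: Dict[Flow, str] = {}       # flow -> safeguard blocking it

    def add_component(self, name: str, kind: str = "component") -> None:
        self.kinds[name] = kind

    def add_flow(self, src: str, dst: str, label: str) -> None:
        if src not in self.kinds or dst not in self.kinds:
            raise KeyError(f"unknown component in flow {src!r} -> {dst!r}")
        self.flows[(src, dst)] = label

    def add_reaction(self, comp: str, inbound: str, outbound: str, via: str = "normal") -> None:
        # How `comp` reacts to an influence arriving on `inbound`: it emits on `outbound`.
        self.reactions[comp][inbound].add((outbound, via))

    def add_vulnerability(self, comp: str, name: str, inbound: str, outbound: str) -> None:
        # A vulnerability is an extension of the component's behaviour: one more reaction.
        self.add_reaction(comp, inbound, outbound, via=name)

    def add_safeguard(self, name: str, blocks: List[Flow]) -> None:
        # Safeguards are components too; this kind blocks the flows it is placed on.
        self.add_component(name, "safeguard")
        for flow in blocks:
            if flow not in self.flows:
                raise KeyError(f"no flow {flow!r} to block")
            self.blocked[flow] = name

    def _adjacency(self, forward: bool) -> Dict[str, List[Tuple[str, str]]]:
        adj: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        for (src, dst), label in self.flows.items():
            if (src, dst) not in self.blocked:           # blocked flows carry nothing
                adj[src if forward else dst].append((dst if forward else src, label))
        return adj

    def slice_model(self, point: str, forward: bool) -> Set[str]:
        """forward=True: components `point` affects; False: components that affect `point`
        (directly or indirectly, over unblocked flows)."""
        adj, seen, stack = self._adjacency(forward), set(), [point]
        while stack:
            for nxt, _ in adj[stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        seen.discard(point)
        return seen

    def attack_paths(self, agent: str, target: str) -> List[List[Step]]:
        """Chains of interactions from an initiating event at `agent` to an undesired
        outcome at `target`. Assumed rule: every intermediate component must pass the
        influence on through a modelled reaction (normal behaviour or vulnerability)."""
        out, paths = self._adjacency(True), []

        def walk(comp: str, inbound: str, visited: FrozenSet[str], path: List[Step]) -> None:
            if comp == target:
                paths.append(list(path))
                return
            if comp == agent:   # the threat agent originates every flow it owns
                enabled = {label: "initiating event" for _, label in out[comp]}
            else:
                enabled = dict(self.reactions[comp].get(inbound, ()))
            for dst, label in out[comp]:
                if label in enabled and dst not in visited:
                    path.append((comp, label, dst, enabled[label]))
                    walk(dst, label, visited | {dst}, path)
                    path.pop()

        walk(agent, "", frozenset([agent]), [])
        return paths


def vulnerabilities_exercised(path: List[Step]) -> Set[str]:
    return {via for _, _, _, via in path if via not in ("normal", "initiating event")}


def build_sample_model() -> SystemModel:
    """Constructed sample: a small web application environment, not a real system."""
    m = SystemModel()
    for name, kind in [("internet_attacker", "threat agent"), ("border_router", "component"),
                       ("web_server", "component"), ("admin_workstation", "component"),
                       ("db_server", "component"), ("payroll_records", "asset")]:
        m.add_component(name, kind)
    for src, dst, label in [("internet_attacker", "border_router", "inbound packets"),
                            ("internet_attacker", "admin_workstation", "e-mail attachment"),
                            ("border_router", "web_server", "http requests"),
                            ("web_server", "db_server", "sql queries"),
                            ("admin_workstation", "db_server", "admin sessions"),
                            ("db_server", "payroll_records", "record access")]:
        m.add_flow(src, dst, label)
    m.add_reaction("border_router", "inbound packets", "http requests")   # normal: forwards traffic
    m.add_reaction("db_server", "admin sessions", "record access")        # normal: admins read records
    m.add_vulnerability("web_server", "cgi-injection (constructed)", "http requests", "sql queries")
    m.add_vulnerability("admin_workstation", "opens-attachments (constructed)", "e-mail attachment", "admin sessions")
    m.add_vulnerability("db_server", "default-credentials (constructed)", "sql queries", "record access")
    return m
```

Usage: `build_sample_model().slice_model("payroll_records", forward=False)` returns every component that can influence the payroll records, and `attack_paths("internet_attacker", "payroll_records")` returns two chains, one through the web server and one through the administrator's workstation. After `add_safeguard("attachment_filter", [("internet_attacker", "admin_workstation")])` only the web-server chain remains, and `vulnerabilities_exercised` on it names the two constructed weaknesses a second safeguard or patch would have to address. Because the threat agent, the safeguard and the asset are all just components, the same slicing works for a fault-tree or FMEA style question by choosing a different point.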

To assess the feasibility of this security-engineering approach, the research team produced a prototype "tool kit" in 1998 based in part on the Rational Rose CASE tool. This work is continuing in the context of a source code assessment tool being developed at Sandia. By the end of FY99 the research team expects to deliver a first version of the source code assessment tool kit, which will include the ability to model the software system's context (e.g., the external, non-software devices with which the software interacts) and to assess the system and its context as a whole. The final version of this tool kit is expected to be ready by the end of FY01.

Although Sandia's research has pointed the way to the next generation of security engineering tools, the research has also highlighted several problems for which the security community currently has no good answers. Any organizations wishing to discuss the results of this research or the problems identified can contact the author at 505-844-8873 or rlcraft@sandia.gov.


Rick Craft is a senior member of the technical staff at Sandia National Laboratories, where he has worked since 1981. He holds an MS in electrical engineering and has spent the majority of his career in system analysis and software engineering. Since 1992, he has worked as a security analyst in the Information Systems Surety department and as part of Sandia's Information Design Assurance Red Team (IDART) activity.
The Next Generation of Computer Security Specialists

"The public perception of computer security is shaped by sensationalism such as computer virus scares and stories of teenagers breaking into sensitive military systems," Professor Eugene Spafford, Director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University, Indiana, states, "but information and computing security is far more complex than that and involves disciplines including sociology, psychology, criminology, political science, ethics, management, and economics." That's why CERIAS (pronounced "serious") takes a multidisciplinary approach to information protection.


With nearly 20 faculty members from eight Purdue departments and the aim to work with researchers in industry, government, and other academic institutions worldwide, CERIAS is devoted to tackling areas of information security and assurance from various perspectives, including:


•  Computer and network security

•  Communications security

•  Public policy regarding information security

•  Information management and policy development

•  Social, legal, and ethical aspects of information use and abuse

•  Economics of information assurance

•  Electronic commerce security

•  Risk management for computing systems and networks

•  Awareness and training methods for INFOSEC professionals

•  Computer crime investigation and response

•  Information warfare issues.

The center, which was founded in May 1998, leverages the strengths of Purdue's Computer Operations, Audit, and Security Technology (COAST) laboratory.

Spafford established the COAST laboratory in 1992 to meet the growing need for research and education in the information security arena. Since then, the COAST laboratory has designed and developed many widely used tools and education materials in computer security, operating systems, and software engineering. Government agencies, businesses, and academic institutions worldwide have hailed these products as models for their usefulness. Today, COAST works as a partner with the newly established center. Because of its association with CERIAS, COAST is now one of the largest academic computer research groups in the world. Additionally, many of the CS-specific laboratory efforts of COAST have become CERIAS efforts, providing these existing efforts with access to a greater resource base than before.

"Information security is the combination of computer security and communications security; unfortunately little educational infrastructure exists for training people to deal with these issues and none take a broad view of the problems involved," states Spafford.

In addition to its inclusion of COAST resources and faculty, CERIAS, given its center status, can leverage resources and staff from any department or school. According to Spafford, "No other place in the world is taking the big picture that we do."

CERIAS, given its broad resources and the established reputation of COAST, has already attracted professors and students from 13 countries. In addition, 40 percent of the students are female. The diversity of the faculty and students in CERIAS is reflected in its numerous ongoing COAST research topics, which span from intrusion detection, firewall and software evaluation, authentication, and security archive to vulnerabilities database and testing. The following paragraphs describe some of these efforts.

DEVELOPING A DIFFERENT APPROACH TO INTRUSION DETECTION

Intrusion detection (ID) is a field within computer security that has grown rapidly during the last few years. The AAFID (Autonomous Agents for Intrusion Detection) project focuses on improving ID methods.

Traditional intrusion detection systems (IDS) collect data from one or more hosts and process the data on a central machine to detect anomalous behavior. This approach, however, prevents scaling of the IDS to a large number of machines because of the storage and processing limitations of the host that performs the analysis.

The AAFID architecture uses many independent entities called "autonomous agents," which work simultaneously to perform distributed ID. Each agent monitors certain aspects of a system and reports anomalous behavior or occurrences of specific events. For example, one agent may search for incorrect permissions on system files, another agent may search for improper configurations of an FTP server, and yet another may search for attempts to perform attacks by corrupting the ARP (Address Resolution Protocol) cache of the machine.

[Figure: commands to the AAFID monitor, showing STATUS_UPDATE messages reported by agents such as Olympus:CheckNFSserver and gont:CheckInet, each carrying a timestamp, a Status value, and a Message.]

The results the agents produce are collected at a per-machine level, permitting the correlation of events reported by different agents that may be caused by the same attack. Furthermore, reports produced by each machine are aggregated at a higher (per-network) level, allowing the system to detect attacks involving multiple machines.
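The two-level aggregation just described, as an added example that is not AAFID project code: three small agents inspect constructed host snapshots (hypothetical file modes, FTP settings and ARP tables), a per-host transceiver correlates their reports, and a per-network monitor flags an agent that fires on several hosts within a time window. The host names and timestamps come from the monitor output above; everything else is constructed.

```python
# Added example, not AAFID project code: a miniature AAFID-style hierarchy.
# Agents inspect constructed host snapshots (hypothetical data), a per-host
# transceiver correlates their reports, and a per-network monitor aggregates
# the host summaries to spot an attack that touches several machines.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    host: str
    agent: str
    ts: int        # epoch seconds, like the timestamps in the monitor output
    status: int    # 0 = nothing to report; larger = more suspicious
    message: str


# --- Agents: each watches one aspect of a host -----------------------------

def check_permissions(host, ts, snapshot):
    """Flag system files writable by group or others (mode bits 0o022)."""
    return [Report(host, "CheckPerms", ts, 5,
                   f"{path} writable by others (mode {mode:04o})")
            for path, mode in snapshot["files"].items() if mode & 0o022]

def check_ftp_config(host, ts, snapshot):
    """Flag an FTP server configured to accept anonymous uploads."""
    cfg = snapshot["ftp"]
    if cfg.get("anonymous_enable") and cfg.get("anon_upload_enable"):
        return [Report(host, "CheckFTP", ts, 7, "anonymous upload enabled")]
    return []

def check_arp_cache(host, ts, snapshot):
    """Flag one MAC address bound to several IPs, a symptom of ARP cache poisoning."""
    by_mac = defaultdict(set)
    for ip, mac in snapshot["arp"].items():
        by_mac[mac].add(ip)
    return [Report(host, "CheckARP", ts, 10, f"MAC {mac} claims {sorted(ips)}")
            for mac, ips in by_mac.items() if len(ips) > 1]

AGENTS = (check_permissions, check_ftp_config, check_arp_cache)


# --- Per-host level: run every agent and correlate what they report --------

def host_transceiver(host, ts, snapshot, threshold=10):
    """Combine one host's agent reports; alert when the summed status is high."""
    reports = [r for agent in AGENTS for r in agent(host, ts, snapshot)]
    score = sum(r.status for r in reports)
    return {"host": host, "ts": ts, "reports": reports,
            "score": score, "alert": score >= threshold}


# --- Per-network level: aggregate the host summaries -----------------------

def network_monitor(summaries, window=60, min_hosts=2):
    """Return (agent, hosts) pairs where the same agent fired on at least
    min_hosts hosts within `window` seconds of each other."""
    hits = defaultdict(list)                      # agent -> [(host, ts), ...]
    for s in summaries:
        for r in s["reports"]:
            hits[r.agent].append((r.host, r.ts))
    alerts = []
    for agent, seen in hits.items():
        seen.sort(key=lambda h: h[1])
        for _, t0 in seen:
            hosts = {h for h, t in seen if t0 <= t <= t0 + window}
            if len(hosts) >= min_hosts:
                alerts.append((agent, tuple(sorted(hosts))))
                break
    return sorted(alerts)


# Constructed snapshots of two hosts, named after the hosts in the monitor
# output above; the timestamps are the ones shown there.
SNAPSHOTS = {
    "olympus": (905486222, {
        "files": {"/etc/passwd": 0o644, "/etc/hosts.equiv": 0o666},
        "ftp": {"anonymous_enable": True, "anon_upload_enable": False},
        "arp": {"10.0.0.1": "aa:aa:aa:aa:aa:01", "10.0.0.2": "aa:aa:aa:aa:aa:02"},
    }),
    "gont": (905486325, {
        "files": {"/etc/passwd": 0o644, "/etc/hosts.equiv": 0o666},
        "ftp": {"anonymous_enable": True, "anon_upload_enable": True},
        "arp": {"10.0.0.1": "de:ad:be:ef:00:01", "10.0.0.254": "de:ad:be:ef:00:01"},
    }),
}


def run_network(window=120):
    """Run the whole hierarchy over SNAPSHOTS: (host summaries, network alerts)."""
    summaries = [host_transceiver(h, ts, snap) for h, (ts, snap) in SNAPSHOTS.items()]
    return summaries, network_monitor(summaries, window=window)
```

With these inputs only gont trips a host-level alert, while the world-writable hosts.equiv on both machines is what the network level correlates into a multi-host finding.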

The AAFID group consists of 10 graduate and undergraduate students within the COAST laboratory. They released a prototype implementation that can be found at the AAFID project web page at http://www.cs.purdue.edu/coast/projects/autonomous-agents.html.

Tripwire®

One of COAST's better known projects is Tripwire®. It was primarily a project of Gene Kim and Professor Spafford. The product is now the most widely deployed intrusion detection security tool worldwide. Tripwire® is an integrity monitor tool for Linux and Unix systems. It uses message digest algorithms to detect tampering with file contents, as might be caused by an intruder or a virus. In December 1997 Visual Computing Corporation™ obtained an exclusive license from Purdue University to develop and market new versions of the product. For more information visit http://www.tripwiresecurity.com/.
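As an added illustration of the message-digest approach, not Tripwire's own code: a baseline of SHA-256 digests, sizes and permission bits is taken over a constructed directory tree, the tree is tampered with, and a second pass reports what changed.

```python
# Added example, not Tripwire code: a minimal Tripwire-style integrity
# monitor. A baseline records a SHA-256 digest, size and mode for each file;
# a later snapshot is compared against it and the differences are reported.
# The files and the tampering in demo() are constructed in a temp directory.
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map each regular file under root (relative path) to (digest, size, mode)."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, devices, etc.
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            db[rel] = (digest, st.st_size, stat.S_IMODE(st.st_mode))
    return db


def compare(baseline, current):
    """Return added, removed and changed paths; 'changed' covers a content,
    size or permission difference."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def _write(root, rel, data, mode=0o644):
    """Create rel under root with the given bytes and an explicit mode."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: take a baseline, then replace one file's content
    with bytes of the same length, loosen another file's permissions, add a
    third file, and return compare()'s verdict."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "bin/login", b"#!/bin/sh\nexec /bin/true\n", 0o755)
        baseline = snapshot(root)

        # Same length as before, so a size-only check would miss it; the digest does not.
        _write(root, "bin/login", b"#!/bin/sh\nexec /tmp/true\n", 0o755)
        os.chmod(os.path.join(root, "etc/passwd"), 0o666)
        _write(root, "etc/cron.d/backup", b"0 3 * * * root /usr/local/bin/backup\n")

        return compare(baseline, snapshot(root))
```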

Underfire 

Underfire is an ongoing project started in 1997. The Underfire team consists of seven COAST students. The purpose of the team's efforts is to gain direct experience in installing, evaluating, configuring, and using different firewall systems, to investigate new technologies for network perimeter defenses, including next-generation networks such as ATM, and to investigate the integration of host- and network-based security mechanisms with network perimeter defenses. The Underfire team's goal is to create an architecture for automated firewall testing. The final product will be an engine that will test a firewall without human interaction. This will be achieved with a modular system composed of an engine, a packet sniffer, and scripted attacks. The engine will execute the attacks and use the packet sniffer, or other networking protocols, to test the success or failure of the attack. Finally, a report may be generated automatically that will explain the weak points of the firewall based on the attack data.

The Underfire team, having finished its design and initial implementation of the engine, is scripting known attacks. The automatic report generator will need to be completed in the future. Until now, Underfire has taken only protocol-level attacks into account; a future step will be to extend testing to the application level such as RPC and X11. For more information see http://www.cs.purdue.edu/coast/projects/firewalls.html
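An added simulation of the engine, scripted probes and report the text describes, not Underfire's code: a first-match rule table stands in for the firewall, probe packets for the scripted tests, and the report lists every probe whose observed verdict differs from the written policy. The rules, addresses and cases are all constructed.

```python
# Added example, not Underfire code: a simulated firewall test engine.
# An ordered rule table stands in for the firewall, the CASES list for the
# scripted probes, evaluate() for the sniffer that reports what got through,
# and the mismatches against the written policy are the "weak points" report.
# Rules, addresses and probes are constructed for this example.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp", "icmp" or "any"
    src: str        # CIDR
    dst: str        # CIDR
    dport: tuple    # (low, high), inclusive


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins; unmatched packets get the default verdict."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.proto in ("any", pkt.proto)
                and src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and r.dport[0] <= pkt.dport <= r.dport[1]):
            return r.action
    return default


# Constructed rule set. The last rule is the kind of over-broad "let replies
# in on high ports" entry that an automated test run should expose.
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", (80, 80)),      # web
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", (443, 443)),    # web
    Rule("allow", "any", "192.0.2.0/24", "192.0.2.0/24", (0, 65535)),  # internal
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", (1024, 65535)),  # too broad
]

# Probes: (name, packet, verdict required by the written security policy).
CASES = [
    ("external web", Packet("tcp", "198.51.100.7", "192.0.2.10", 80), "allow"),
    ("external telnet", Packet("tcp", "198.51.100.7", "192.0.2.10", 23), "deny"),
    ("external rpc", Packet("tcp", "198.51.100.7", "192.0.2.20", 111), "deny"),
    ("external X11", Packet("tcp", "198.51.100.7", "192.0.2.20", 6000), "deny"),
    ("internal file share", Packet("tcp", "192.0.2.5", "192.0.2.20", 445), "allow"),
]


def run_tests(rules=RULES, cases=CASES):
    """Run every probe; return [(name, expected, observed)] for each mismatch."""
    report = []
    for name, pkt, want in cases:
        got = evaluate(rules, pkt)
        if got != want:
            report.append((name, want, got))
    return report
```

Dropping the fourth rule makes the report empty, which is the regression check a rule change should be held to.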

Achieving Next Generation Authentication

Using biometrics devices and tokens such as smart cards and iButtons, several research and application development projects are being conducted in the COAST laboratory to develop ways to authenticate users to systems. The first method is to standardize a common programming interface utilizing a PC/SC-compliant smart card resource manager written in C++ and cryptographic libraries based on the Public Key Cryptography Standards (PKCS-11 and PKCS-15) specifications. The resource manager allows secure remote authentication by using secure channels to communicate between multiple resource managers. The resource manager will be used to develop many applications including secure login, ssh, xlock, ftp, telnet, etc. using pluggable authentication modules (PAM) along with smart card security. Additionally, students are in-
Providing New IA Support to the Warfighter

Director, IATAC


To support emerging warfighter Information Assurance (IA) needs, IATAC has initiated efforts to create two technical reports supporting critical IA technologies—a state-of-the-art report (SOAR) on Data Embedding for Information Assurance and a critical review and technology assessment (CR/TA) report on Computer Forensics—Tools and Methodology. Each report aims to provide the warfighter with a broader understanding of its subject matter, enabling the warfighter to apply that knowledge when executing his or her IA roles and responsibilities. The following paragraphs briefly describe each report.


DATA EMBEDDING FOR INFORMATION ASSURANCE

This SOAR introduces data embedding, assesses the state-of-the-art technologies in various data embedding applications, and examines the IA applications of data embedding technologies. The introduction to data embedding reviews relevant terminology, offers a historical perspective of steganography and digital watermarking, and describes in detail the types and uses of data embedding. A state-of-the-art assessment is provided for the following applications: steganography and covert communications, information protection, intellectual property protection, and defenses and attacks. The report examines IA applications of data embedding, such as technologies and applications that may pose a specific threat, have an offensive application, and those that may be used for defensive measures.

COMPUTER FORENSICS—TOOLS AND METHODOLOGY

This CR/TA report introduces computer forensics, protocols and procedures, and forensic tools. The introduction to computer forensics examines legal requirements and reviews traditional computer crimes (e.g., crimes of commerce, violence) and new crimes (e.g., telecommunications fraud, computer intrusion). Protocols and Procedures details the computer forensic process, including acquisition issues, examination variants, and examination output utilization. Commercial-off-the-shelf (COTS) and government-off-the-shelf (GOTS) forensic tools are assessed regarding their ability to support evidence preservation and collection activities. The report also identifies analysis tools that support data recovery, pattern and string matching, and file and file type identification.

The SOAR on Data Embedding for Information Assurance and the CR/TA report on Computer Forensics—Tools and Methodology are scheduled for release in March 1999. For more information on available technical reports, contact IATAC at (703) 902-3177 or via e-mail at iatac@dtic.mil.
Harris Corporation

is Your Windows NT Computer?


A new security tool available from Harris Corporation's Electronic Systems Sector (Harris) may help users detect, analyze, and correct known security vulnerabilities associated with the Microsoft Windows NT operating system.

The Security Test and Analysis Tool (STAT) uses a database of more than 350 NT vulnerabilities that have been verified and tested in Harris software laboratories to identify existing vulnerabilities in a user's NT network. With STAT, users can assess vulnerabilities in a single computer, multiple computers, or an entire domain. Additionally, via an annual subscription service available from Harris, users can electronically update the STAT database as new security vulnerabilities are identified, patches are released, and enhancements to the functionality of the tool are made.

How STAT works

STAT automatically installs itself on a server or workstation and queries the network to determine which domains and hosts are present. Users then choose whether to operate STAT across single or multiple domains. STAT then identifies nodes by name, address, and operating system. After the domain has been identified, the program can access either individual hosts or the entire domain for security vulnerabilities. The default configuration tests for all vulnerabilities currently available in the STAT database; however, configuration files allow users to select specific vulnerabilities that they would either like to test or ignore for a particular assessment.

When the test is complete and vulnerabilities have been detected, an analysis detailing the security vulnerabilities is provided. The analysis includes the name of the identified vulnerability and its description and risk level. The analysis also offers a solution to correct the vulnerability and links to related web sites and Microsoft knowledge base articles. Fixes can be implemented manually or by an auto-fix feature. After a fix is implemented for a particular vulnerability, users can immediately retest that vulnerability to ensure the fix was successful. STAT also lets users compare previous and current assessments to identify any changes that may have occurred.

Following the analysis, a report of the domain and host status can either be printed, or exported and saved as a text file that can be viewed with any text viewer. Users can format the reports to include selected hosts or entire domains. Users can also customize these reports to create a view of the network's status that is appropriate for executives, supervisors, or technicians.

For more information, visit our website at http://www.STATonline.com for a product overview. This web site also features a security article of the week, frequently asked questions, and links to other computer security sites.

Bill Weill is a senior computer security engineer at Harris. He received his B.S. in Physics from Lenoir Rhyne and his B.S.E.E. from the Air Force Institute of Technology. He is a retired Air Force Officer and has been a computer security analyst for the Air Force and NASA.
Next year another DEFCON convention will be held and still more new "weapons" will be released. Although the outcome of our information age arms race is yet to be determined, vigilant and relentless application of the defensive measures described in this article will go a long way toward thwarting malicious attacks. Continued research and development of new technologies, such as VPN and PKI, also promise significant protection in the near future. In the end, however, all these modern technologies are still based on denial of human access to the control pathways of a computer network, once again reinforcing how Strowger's concept from 100 years ago remains our best defense today.

formation across telecommunications systems. Another module discusses transportation modes for information flow via local area networks (LANs), metropolitan area networks (MANs), and wide area networks (WANs). Finally, a module on information flow discusses tools for managing network resources. Examples and real life analogies are given throughout the presentation. The Resources section contains several web sites to learn more about topics discussed in this CD-ROM.


Information Assurance (IA) for Auditors & Evaluators


This interactive CD-ROM begins by identifying, categorizing, and detailing examples of computer crime. Topics of IA covered include threats; countermeasures; confidentiality, integrity, and availability; risk and risk management; and the advantages/vulnerabilities of networked systems. Laws and directives related to IA are also discussed.

Overviews of certification & accreditation and the DITSCAP are encapsulated in one module. Additionally, there is a module on reliability risk, data testing (general controls, application controls, access controls), reporting on evidence, and key steps in assessing reliability. Finally, there is an in-depth, interactive practical exercise that allows the user to assess reliability risk, examine system controls, and determine the degree of data testing required. The user will use information presented in a fictional animated film to follow the audit trail of a rogue's missile purchases, using techniques learned in this CD-ROM. A glossary and resources section is included in this product.


FORTEZZA Installers Course for Windows NT


This interactive CD-ROM is designed to provide installers with a basic level of instruction needed to install card readers, card drivers, and FORTEZZA-enabled applications on PCs running Windows NT. Topics covered include concepts of PC card technology, including PC card hosts and sockets, mechanical/electrical aspects and software, and PC card use and compatibility. The installation of PC card readers and drivers is also covered. The user will learn about FORTEZZA installers concepts (security algorithms, security services, encryption, and certificates) as well as FORTEZZA applications, such as MS ArmorMail and AT&T Secret Agent. The final lesson is a diagnostics and troubleshooting session that allows the user to practice problem resolution.

Networks at Risk

A 10-minute video produced by NCS that deals with hackers, network intrusion, and computer security in the workplace. Topics covered include the selling of electronic information, prevention of network intrusions, password protection, and the importance of auditing network security.

Protect Your AIS

A 15-minute video containing six INFOSEC-related dramatizations of security concerns in the workplace. These sketches demonstrate the need for password protection, virus prevention, user ID security, and controlled access to computer equipment.

The Information Frontline

A 10-minute video on Defensive Information Warfare (IW-D) awareness that demonstrates how information is easy to exchange but difficult to protect, the types of IW threats that exist, and the vulnerabilities of information systems. It also describes intelligence agencies that perform IW-D functions.

Bringing Down the House

A 10-minute video describing various hacker intrusions and how they relate to Information Warfare. The main portion of the video covers how hackers use the information superhighway to


Computer Security 101 (DOJ)

John Walsh of America's Most Wanted hosts this 11-minute video about safeguarding computer information. Three aspects of computer security are discussed: sensitive information (what kind of information needs to be protected), risk management (reasons why computer security is important), and accountability (assuming responsibility for protecting one's computer).


Computer Security, The Executive Role (DOJ)

This 9-minute video stresses the need to protect information systems at all levels of government. The user should be aware that the Office of Management and Budget (OMB) has classified all federal information as "sensitive." To this end, steps to secure workspaces and protect data are delineated. Topics covered include the Computer Security Act of 1987, types of threats to information systems, and risk management.

Understanding PKI (DOD)

This 13-minute video introduces the concept of Public Key Infrastructure (PKI) and how it can be used to ensure the security and privacy of cyber-based transactions. Topics covered include examples of how PKI works, why it is necessary to protect the Defense Information Infrastructure (DII) and National Information Infrastructure (NII), and how it ensures the confidentiality, integrity, non-repudiation, and authentication of electronic messages through digital signatures.


Exploring MISSI

This 10-minute video describes NSA's framework for systems security across the Defense Information Infrastructure (DII) and the National Information Infrastructure (NII). Steps that have been taken to ensure the integrity and safety of information are discussed.
Order Form

How did you hear about our products?
□ DISSPatch  □ WWW  □ Word of Mouth  □ *Conference  □ *Class  □ *Other
*Specify ________

INFOSEC Program Management Office
5111 Leesburg Pike, Suite 100
Falls Church VA 22041-3206
Attn: Product Distribution

Commercial: 703-681-7944/1344  DSN: 761-7944
Fax: 703-681-1386
E-mail: DODI AET A@nct\ dsa .mil
Homepage: http://www.disa.mil/infosec

Mailing Information
Address ________  Fax ________
Mark appropriate organization:
□ CINC  □ Joint Staff  □ Army  □ Navy  □ AF  □ Marines  □ OSD

Order Form

Products are unclassified and available at no cost. Products, excluding CD-ROMs, may be reproduced (for government use only) without further permission.
IA Anti-Virus Tools report now available to registered DTIC users!

The report provides an index of anti-virus tools that are contained in the IATAC IA Tools database. Each entry provides an overview of the product as well as contact information.

Research for this report entailed reviewing various journals and open source data. A total of 60 tools were identified and are currently available in the commercial marketplace. The products listed have all been tested on various platforms, to include DOS, Windows, Windows 95, Windows 98, Windows NT Workstation, Windows NT Server, OS/2 Warp and Netware.

For instructions on obtaining a copy of the report, refer to the IATAC Product Order Form, opposite on page 21.

COMING IN MARCH

Data Embedding for Information Assurance
Computer Forensics—Tools and Methodology


Vulnerability Analysis Tools Report

This report provides an index of vulnerability analysis tool descriptions contained in the IA Tools database. It summarizes pertinent information, providing users with a brief description of available tools and contact information. It currently contains descriptions of 35 tools that can be used to support vulnerability and risk assessment.

Modeling & Simulation Technical Report

This report describes the models, simulations and tools being used or developed by selected organizations that are chartered with the IA mission. Data collection efforts focused on the current definitions of Information Operations, Information Warfare, and IA as described in DoD Directive S-3600.1, "Information Operations," and Chairman, Joint Chiefs of Staff Instruction 6510.1A, "Defensive Information Warfare Policy." In addition, the definitions prescribed by DMSO for model and simulation were used to determine what entities should be included in this IA models, simulations and tools report.

Intrusion Detection Report

This report provides an index of intrusion detection tool descriptions contained in the IATAC IA Tools Database. Information was obtained via open source methods, including direct interface with various agencies, organizations, and vendors. Research for this report identified 43 intrusion detection tools currently employed and available.


Malicious Code Detection State-of-the-Art Report (SOAR)

This SOAR includes a taxonomy for malicious software to provide the audience with a better understanding of commercial malicious software. An overview of the current state-of-the-art commercial products and initiatives, as well as future trends, is presented. The same is then done for the current state of the art in regards to DoD. Lastly, the report presents observations and assertions to support the DoD as it grapples with this problem entering the 21st century. This report is classified and has a limited release.
IMPORTANT NOTE: All IATAC Products are distributed through the Defense Technical Information Center (DTIC). If you are NOT a registered DTIC user, you must do so PRIOR to ordering any IATAC products. To register with DTIC go to http://www.dtic.mil/dtic/regprocess.html.
LIMITED DISTRIBUTION          QTY.   PRICE EA.   EXTD. PRICE

In order for NON-DoD organizations to obtain LIMITED DISTRIBUTION products, a formal written request must be sent to IAC Program Office, ATTN: Sherry Davis, 8725 John Kingman Road, Suite 0944, Ft. Belvoir, VA 22060-6218

Contract No. ________
For contractors to obtain reports, request must support a program & be verified with COTR
COTR ________  Phone ________

□ Modeling & Simulation Technical Report    No Cost
□ IA Tools Report — Firewalls               No Cost
□ IA Tools Report — Intrusion Detection
□ IA Tools Report — Vulnerability Analysis
□ Malicious Code Detection SOAR   □ TOP SECRET  □ SECRET
Security POC ________  Security Phone ________

UNLIMITED DISTRIBUTION        QTY.   PRICE EA.   EXTD. PRICE

□ Newsletters (Limited number of back issues available)
  □ Vol. 2, No. 1  □ Vol. 2 No. 2  □ Vol. 2 No. 3    No Cost

ORDER TOTAL ________

Please list the Government Program(s)/Project(s) that the product(s) will be used to support: ________

Once completed, fax to IATAC at 703.902.3425
Intrusion Detection & Response
San Diego, CA
Features in-depth courses taught by SANS faculty.
call 301.951.0102
www.sans.org/id/call.htm

Southeast Command, Control, Communications, Computers & Intelligence Conference and Exposition
Tampa, FL
Sponsored by the AFCEA Tampa-St. Petersburg Chapter
call J. Spargo & Associates Inc., 703.631.6200
www.jspargo.com/events.htm

Fourth Warfighter Information Assurance Symposium
Kossiakoff Center, Johns Hopkins University, Laurel, MD
Sponsored by the National Security Agency, Information Systems Security Organization
call 410.850.7156
warfighter@mcneiltechmd.com

MAR 15-17
APR 18-21
MAY 9-15

InfoSec World: Open Systems Security 99 and ISSA Annual Conference
Orlando, FL
Topics include intrusion detection, single sign-on, smart card security and hacker tools and trends.
www.misti.com

Association of Old Crows (AOC) FIESTACROW '99
San Antonio, TX
Sponsored by the Billy Mitchell Chapter, AOC and cosponsored by AFCEA Alamo Chapter
call 210.732.7697
www.fiestacrow.org

SANS99: 8th International Conference on System Administration, Networking and Security
Baltimore, MD
Covers networking, security and intrusion detection.
www.sans.org
Falls Church, VA 22042